
Simple registration+login using OAuth 2.0

Developer https://www.devze.com 2023-03-02 18:09 Source: web

I am a bit confused about OpenID/OAuth stuff (by OAuth I mean OAuth 2.0 here and later).

My target is to create a site with OpenID (or OAuth) auth as well as with legacy email + password auth. The site will be on the Django framework (Python). I understand the difference between OAuth and OpenID and the difference between authorization and authentication.

My primary goal is to implement OpenID login with Google as identity provider.

The login and register flow must be just like on many sites. As I see it:

register scenario:

1) user enters OpenID URL (clicks Google button)

2) user gets redirected to auth provider (Google); page says: "Awesome site" asks for your: email, language, country...

3) user says yes, gets redirected back; behind the scenes "Awesome site" retrieves email, language and other user info using the access token

4) user fills in other stuff needed in the profile, and that is it: he's now registered.

Login scenario:

1) user enters OpenID URL (clicks Google button)

1.a) if the user is already logged in on the auth provider, hmm... it is unclear to me, but somehow the user gets logged in without a provider page being displayed (maybe it closes fast?)

1.b) if the user is not logged in on the provider, then the provider displays a login page and redirects back to awesome site on success.

Because I have to get some user data, it seems to me that I have to use OAuth or the Hybrid (OpenID + OAuth extensions) protocol.

The things that are not clear to me:

  1. How do I get scopes for the info I need? I searched but can't find it. I found on someone's blog "https://www.googleapis.com/auth/userinfo#email" for email, but how about user language, country, etc.? Where is it documented?
  2. If I use OAuth, will it be enough to do both the registration and the login, or will I have to fetch user data with OAuth and log in with OpenID?
  3. Is it OK to use OAuth 2.0 in my scenario? Or will it be simpler to use 1.0 because I don't need user data anymore after the initial account registration? (I think 1.0 is more complex because it has 3 phases, but 2.0 is more complex because the access token expires; but expiration won't be a problem in my scenario as I don't need user data after registration.)
  4. There are a few libs lying out there; while reading the Google API docs I found:
    • google-api-python-client
    • openid-python-openid
    • gdata-python-client (supposed to be an API to Google services; I don't know if it has OAuth in it, hmm... according to this http://code.google.com/intl/ru/apis/gdata/docs/auth/oauth.html it has OAuth in it)
    • python-oauth-client (http://code.google.com/p/python-oauth-client/)
    • I thought that was a lot, but then found: http://your-move.appspot.com (source files: https://github.com/sje397/Chess) which seems to be using the Google App Engine lib: from google.appengine.api import users
    So which one to choose?
  5. So far I have come to the conclusion that the simplest implementation would be like this: http://code.google.com/p/google-api-python-client/source/browse/samples/oauth2/django_sample/buzz/views.py But lines 38-44 in my case would fetch user email, language and other stuff (and I will also use another scope, line 29) for a newly registered user, or if it is an already registered user just ignore the credential and delete it (continue with the site session). Am I wrong? I saw so many implementations in the libs mentioned above that I doubt that I am right.
  6. And also another question: my fallback legacy auth will use email as login. If an identity provider is an email provider (Google), then when the user tries to log in I can fetch the email from the provider and search for the email fetched from the provider in the database, so I can find the user. What if the identity provider is not an email provider, like Facebook? How will I search for the user in the database?


In my opinion, OpenID and OAuth 2.0 are two different concepts.

  1. OpenID, as its name explains, is mainly focused on managing identity. So it is more like a framework or protocol to manage user identity.

  2. OAuth 2.0 was designed to provide a protocol which lets internet-based applications manage authorization with some third-party authorization providers. I do suggest you go through the IETF OAuth 2.0 spec before getting your hands dirty. You can also find some good information in this article: A simplified explanation of OAuth 2.0.

It seems you wish your own website to handle user authorization by itself; that means in OAuth 2.0 terms your own website is an Authorization Server.

To your questions:

  1. The scopes are provided by the Authorization Provider; please refer to their documentation.

  2. OAuth only provides the framework for authorizing your web app to access the Resource Owner's protected information. For the Google example, the end user who authorizes your app to access his/her protected information is still a Google user unless your web app automatically creates a user account for him/her in your own user account database; I think this step is what you mean by registration. OAuth doesn't cover anything about registration because it is out of the scope of authorization.

  3. In your scenario you still have your own account database and wish users to be able to authenticate themselves with username and password. OAuth 2.0 really can handle this scenario if you implement your own Authorization Server and use the "Resource Owner Password Credentials" auth flow.

  4. I am not a Python guy, but I can tell you that before you evaluate these libs you must understand the different roles defined in the OAuth 2.0 spec. Some of the libs play the Authorization Server role, some play the Resource Server role.


Why not just use a library that does all the hard work of integrating with the OpenID providers?

You can use SocialAuth, or any one of the other auth packages with similar functionality.


I would recommend not using Google or Facebook (or, even worse, Twitter) for testing OAuth/OpenID login, as their setup is confusing, the scope is not clearly documented, and it requires SSL even locally to test. Instead I would suggest GitHub as it's more developer-friendly. SimpleLogin is also a good option (disclaimer: I'm the SimpleLogin founder) as it whitelists localhost by default to facilitate local development. Its docs are at https://docs.simplelogin.io.

If you want to learn more about OAuth/OpenID, I think it's better to implement the redirection and callback yourself. Later it's better to use a library to handle this, though, as they follow the protocol more closely. A very good article on this topic for Django is https://scotch.io/tutorials/django-authentication-with-facebook-instagram-and-linkedin.

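Worked example, added here and not code from the question or from any of the answers: the redirect-and-callback flow the question sketches (register steps 1-4, login 1.a/1.b), which the last answer suggests implementing by hand, written as an OAuth 2.0 authorization-code exchange in plain Python. It also shows the account lookup from question 6 done by (issuer, subject) instead of by email, which is what makes a provider that returns no email address (the Facebook case) work. The provider endpoints, client id, redirect URI, the `post_json` transport and the sample `sub`/email claims are all assumptions, and the token endpoint is a constructed stand-in so the block runs offline; in Django the `session` dict would be `request.session` and `callback_url` would come from `request.build_absolute_uri()`.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical provider metadata and client registration (assumptions; real
# values come from the provider's developer console and discovery document).
PROVIDER = {
    "issuer": "https://idp.example",
    "authorization_endpoint": "https://idp.example/auth",
    "token_endpoint": "https://idp.example/token",
}
CLIENT_ID = "awesome-site"
REDIRECT_URI = "https://awesome.example/oauth/callback"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def build_authorization_request(session: dict, scopes=("openid", "email")) -> str:
    """Step 1: store a random state and a PKCE verifier in the server-side
    session, then return the provider URL the browser is redirected to."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    session["pkce_verifier"] = secrets.token_urlsafe(64)
    challenge = _b64url(hashlib.sha256(session["pkce_verifier"].encode()).digest())
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": session["oauth_state"],
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return PROVIDER["authorization_endpoint"] + "?" + urlencode(params)


def handle_callback(session: dict, callback_url: str, post_json) -> dict:
    """Step 3: the provider redirected back. Refuse any callback whose state was
    not issued by this session (login CSRF), then swap the code for tokens.
    post_json(url, form) is the injected HTTP transport."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise PermissionError("provider error: " + q["error"][0])
    expected = session.pop("oauth_state", None)
    got = q.get("state", [""])[0]
    if not expected or not secrets.compare_digest(expected.encode(), got.encode()):
        raise PermissionError("state mismatch")
    code = q.get("code", [None])[0]
    if code is None:
        raise PermissionError("no authorization code in callback")
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session.pop("pkce_verifier"),
    }
    return post_json(PROVIDER["token_endpoint"], form)


def login_or_register(db: dict, issuer: str, claims: dict) -> dict:
    """Step 4 / login: key the local account on (issuer, sub), the provider's
    stable user identifier. Email is kept only as a profile attribute: some
    providers do not return one, and where they do it can change."""
    key = (issuer, claims["sub"])
    user = db["identities"].get(key)
    if user is not None:
        return {"user": user, "registered": False}
    user = {"id": len(db["users"]) + 1, "email": claims.get("email"), "profile_complete": False}
    db["users"][user["id"]] = user
    db["identities"][key] = user
    return {"user": user, "registered": True}  # caller now shows the profile form


def fake_token_endpoint(url: str, form: dict) -> dict:
    """Constructed stand-in for the provider's token endpoint (offline only)."""
    if url != PROVIDER["token_endpoint"] or form["grant_type"] != "authorization_code":
        raise ValueError("unexpected token request")
    return {"access_token": "at-" + form["code"], "token_type": "Bearer", "expires_in": 3600}


def forged_callback_is_rejected() -> bool:
    """A callback carrying a state this session never issued must not log anyone in."""
    session = {}
    build_authorization_request(session)
    try:
        handle_callback(session, REDIRECT_URI + "?code=x&state=not-ours", fake_token_endpoint)
    except PermissionError:
        return True
    return False


def demo():
    """Full round trip: registration on the first sign-in, plain login on the second."""
    session, db = {}, {"users": {}, "identities": {}}
    url = build_authorization_request(session)
    # Constructed: the provider redirects back with our state and an authorization code.
    state = parse_qs(urlparse(url).query)["state"][0]
    callback = REDIRECT_URI + "?" + urlencode({"code": "SplxlOBeZQQYbYS6WxSbIA", "state": state})
    tokens = handle_callback(session, callback, fake_token_endpoint)
    claims = {"sub": "u-1234567890", "email": "jane@example.com"}  # constructed userinfo claims
    first = login_or_register(db, PROVIDER["issuer"], claims)
    second = login_or_register(db, PROVIDER["issuer"], {"sub": claims["sub"]})  # no email this time
    return tokens, first, second


if __name__ == "__main__":
    t, a, b = demo()
    print(t["access_token"], a["registered"], b["registered"])
```

The `state` check is the part most hand-rolled callbacks skip; without it an attacker can complete the flow with their own provider account in the victim's browser session and bind it to the victim's local account. The PKCE challenge is not strictly required for a confidential server-side client, but it costs two lines and protects the code if the callback URL ever leaks.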
